Author: jmm Date: 2017-11-24 17:37:26 +0000 (Fri, 24 Nov 2017) New Revision: 57998
Modified: data/CVE/list Log: scala non-issue convert otrs issue to NOTE, apparently bogus fix pnp4nagios entry, all suites are n/a libraw, lame, libcatalyst-plugin-static-simple-perl, lynx, ohcount no-dsa Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-11-24 15:40:28 UTC (rev 57997) +++ data/CVE/list 2017-11-24 17:37:26 UTC (rev 57998) @@ -44,6 +44,8 @@ NOTE: https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA CVE-2017-16926 (Ohcount 3.0.0 is prone to a command injection via specially crafted ...) - ohcount <unfixed> (bug #882372) + [stretch] - ohcount <no-dsa> (Minor issue) + [jessie] - ohcount <no-dsa> (Minor issue) CVE-2017-16925 RESERVED CVE-2017-16924 @@ -249,7 +251,9 @@ CVE-2017-1000211 (Lynx before 2.8.9dev.16 is vulnerable to a use after free in the HTML ...) {DLA-1175-1} - lynx 2.8.9dev16-1 + [stretch] - lynx <no-dsa> (Minor issue) - lynx-cur <removed> + [jessie] - lynx-cur <no-dsa> (Minor issue) NOTE: https://github.com/ThomasDickey/lynx-snapshots/commit/280a61b300a1614f6037efc0902ff7ecf17146e9 CVE-2017-1000206 (samtools htslib library version 1.4.0 and earlier is vulnerable to ...) - htslib 1.4.1-1 @@ -648,8 +652,7 @@ CVE-2017-16835 RESERVED CVE-2017-16834 (PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an ...) - - pnp4nagios <removed> - [wheezy] - pnp4nagios <not-affected> (/etc/pnp4nagios and its content is installed as root by the Debian package) + - pnp4nagios <not-affected> (/etc/pnp4nagios and its content is installed as root by the Debian package) NOTE: https://github.com/lingej/pnp4nagios/issues/140 CVE-2017-16833 (Stored cross-site scripting (XSS) vulnerability in Gemirro before ...) NOT-FOR-US: Gemirro 
@@ -2148,6 +2151,8 @@ NOTE: https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8 CVE-2017-16248 (The Catalyst-Plugin-Static-Simple module before 0.34 for Perl allows ...) - libcatalyst-plugin-static-simple-perl 0.34-1 (bug #880458) + [stretch] - libcatalyst-plugin-static-simple-perl <no-dsa> (Minor issue) + [jessie] - libcatalyst-plugin-static-simple-perl <no-dsa> (Minor issue) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=120558 CVE-2017-16241 RESERVED @@ -4795,12 +4800,12 @@ NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02557.html NOTE: Fixed by: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=eb38e1bc3740725ca29a535351de94107ec58d51 CVE-2017-15288 (The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, ...) - - scala <unfixed> + - scala <unfixed> (unimportant) NOTE: http://scala-lang.org/news/security-update-nov17.html NOTE: For 2.11.x: https://github.com/scala/scala/pull/6108 NOTE: For 2.12.x: https://github.com/scala/scala/pull/6120 NOTE: For 2.10.x: https://github.com/scala/scala/pull/6128 - TODO: check + NOTE: Neutralised by kernel hardening CVE-2017-15287 (There is XSS in the BouquetEditor WebPlugin for Dream Multimedia ...) NOT-FOR-US: BouquetEditor WebPlugin CVE-2017-15286 (SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in ...) @@ -5622,6 +5627,8 @@ NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1da5c9a485f3dcac4c45e96ef4b7dae5948314b5 CVE-2017-15019 (LAME 3.99.5 has a NULL Pointer Dereference in the hip_decode_init ...) - lame <unfixed> + [stretch] - lame <ignored> (Minor issue) + [jessie] - lame <ignored> (Minor issue) NOTE: https://sourceforge.net/p/lame/bugs/477/ CVE-2017-15018 (LAME 3.99.5 has a heap-based buffer over-read when handling a malformed ...) - lame 3.99.5+repack1-8 
@@ -9386,6 +9393,8 @@ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484192 CVE-2017-13735 (There is a floating point exception in the kodak_radc_load_raw function ...) - libraw 0.18.5-1 (low; bug #874729) + [stretch] - libraw <no-dsa> (Minor issue) + [jessie] - libraw <no-dsa> (Minor issue) [wheezy] - libraw <no-dsa> (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/issues/96 NOTE: Isolated patch: https://github.com/LibRaw/LibRaw/files/1276421/radc_divbyzero.txt @@ -22463,11 +22472,7 @@ [wheezy] - vlc <end-of-life> (Not supported in wheezy LTS) NOTE: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=55a82442cfea9dab8b853f3a4610f2880c5fadf3 CVE-2017-9299 (Open Ticket Request System (OTRS) 3.3.9 has XSS in ...) - - otrs2 <unfixed> (unimportant) - NOTE: The issue is most likely fixed in the 3.x series already before 3.3.17. - NOTE: The exact issue, fixing commits and upstream version was not yet tracked - NOTE: down. - NOTE: Furthermore the original report is quite vague/unclear and upstream can + NOTE: This report for OTRS is quite vague/unclear and upstream can NOTE: not track the issue down to a specific fixed release claims though that NOTE: it should not be reproducible with versions later than 3.3.17. CVE-2017-9298 (Cross-site scripting vulnerability in Hitachi Device Manager before ...) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
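Review bot: In the CVE-2017-16926 hunk (@@ -44,6 +44,8 @@) the new stretch and jessie `<no-dsa>` lines carry only `(Minor issue)` as rationale, while the CVE text calls this a command injection via specially crafted input and unstable is still `- ohcount <unfixed> (bug #882372)`. A command-injection class bug needs the reason for the downgrade spelled out in the parenthesis (for instance that ohcount only runs over local files the invoking user selected), otherwise the next triager has to re-derive it; the same reason should then be reflected on the unstable line, which currently has no severity marker at all.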
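Review bot: In the CVE-2017-1000211 hunk (@@ -249,7 +251,9 @@) the added `[stretch] - lynx <no-dsa> (Minor issue)` and `[jessie] - lynx-cur <no-dsa> (Minor issue)` lines sit under an entry that already carries `{DLA-1175-1}`, i.e. an LTS advisory was issued for this CVE, and the description is a use-after-free in HTML parsing, which is reachable from any page the user opens. If an advisory was justified for one suite, a bare `(Minor issue)` for the other two is inconsistent on its face; either state why the exposure differs between the suites, or point at the upstream commit already linked in the NOTE line as the candidate for a point update.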
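Review bot: In the CVE-2017-16834 hunk (@@ -648,8 +652,7 @@) the new `- pnp4nagios <not-affected> (/etc/pnp4nagios and its content is installed as root by the Debian package)` justifies not-affected by the ownership of /etc/pnp4nagios, but the CVE text names `/usr/bin/npcd` and `npcd.cfg`. npcd.cfg may well live under /etc/pnp4nagios, but /usr/bin/npcd is outside that tree, so the rationale should also say who owns the npcd binary; as written the not-affected claim cannot be checked against the issue as described. The dropped `- pnp4nagios <removed>` line also recorded that the package is gone from unstable; collapsing everything into one suite-independent line loses that, and if the intent is "not affected in every suite that ever shipped it" the parenthesis should say so.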
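Review bot: In the CVE-2017-15288 hunk (@@ -4795,12 +4800,12 @@) `NOTE: Neutralised by kernel hardening` replaces `TODO: check` without naming the hardening feature, and `(unimportant)` is added on that basis. Name the specific mechanism (the sysctl or kernel option) and say whether it is a default that an administrator can switch off; a severity that rests on a tunable should record the tunable. The three upstream pull requests linked in the NOTE lines remain the actual fix, so the entry should read as "fix not being backported because the default kernel mitigates it" rather than as "not a bug".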
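Review bot: In the CVE-2017-15019 hunk (@@ -5622,6 +5627,8 @@) stretch and jessie get `<ignored> (Minor issue)`, while the commit log lists lame among the `no-dsa` packages and the other hunks in this commit (ohcount, lynx, libcatalyst-plugin-static-simple-perl, libraw) use `<no-dsa>` for the identical rationale. `<ignored>` means the issue will not be fixed in that suite at all; `<no-dsa>` only means it will not get an advisory. If the intent is the latter, change these two lines to `<no-dsa>`; if `<ignored>` is deliberate, the parenthesis should say why a NULL pointer dereference is permanently left alone in the stable suites while `- lame <unfixed>` in unstable is still open.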
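Review bot: In the CVE-2017-13735 hunk (@@ -9386,6 +9393,8 @@) the new stretch and jessie `<no-dsa> (Minor issue)` lines mirror the existing wheezy line, and the entry already links an isolated upstream patch (radc_divbyzero.txt) plus the fix in 0.18.5-1. Since an isolated patch is at hand, record in the rationale that the issue can be fixed via a point release, so that no-dsa is not later read as "leave unfixed" for these suites.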
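Review bot: In the CVE-2017-9299 hunk (@@ -22463,11 +22472,7 @@) removing `- otrs2 <unfixed> (unimportant)` leaves the entry with NOTE lines only and no package state line, so the tracker no longer records any decision for otrs2 in any suite. If the conclusion is that Debian's otrs2 is newer than the version upstream says is unaffected, say so with a `<not-affected>` line and the version; if that is still undetermined, keep the `<unfixed> (unimportant)` line. The surviving note also lost its connective when the preceding lines were dropped and now reads `upstream can not track the issue down to a specific fixed release claims though that it should not be reproducible with versions later than 3.3.17`; reflow it to `upstream cannot track the issue down to a specific fixed release, but claims that it should not be reproducible with versions later than 3.3.17`.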